Tue, 22 Oct 2002 21:12:21 +0200, you said:

> Ok, but in order to set the policy at DROP, which port/protocols I have to set at ACCEPT to allow nmap from firewall box to anywhere and from LAN to anywhere?

If you don't block OUTPUT and allow ESTABLISHED and RELATED packets in INPUT, you don't need to open extra ports. Maybe some extra icmp for "weird" scans, that's all.

-- 
Gael Le Mignot "Kilobug" - kilobug@freesurf.fr - http://kilobug.free.fr
GSM : 06.71.47.18.22 (in France) ICQ UIN : 7299959
Fingerprint : 1F2C 9804 7505 79DF 95E6 7323 B66B F67B 7103 C5DA
Member of HurdFr: http://hurdfr.org - The GNU Hurd: http://hurd.gnu.org
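The rule set the reply describes (INPUT policy DROP, OUTPUT left open, ESTABLISHED/RELATED accepted back in, plus a couple of ICMP error types that the connection tracker may not tie to a flow), written out as an added example; this is not a script from the thread or from its author. It assumes the `iptables` `-m state` match, that the LAN sits on an interface named `eth1` (override with `LAN_IF`), and that NAT for the LAN, if needed, is configured separately. By default it only prints the rules; set `FW_APPLY=1` to install them as root.

```shell
#!/bin/sh
# Added example: stateful iptables rules matching the advice in the reply.
# Usage:  sh fw.sh            (dry run: prints the rules)
#         FW_APPLY=1 sh fw.sh (installs them; needs root)
#         LAN_IF=eth2 sh fw.sh (assumed LAN interface name, default eth1)

# $1 = command to run ("iptables" or "echo" for a dry run), $2 = LAN interface
fw_stateful_rules() {
    ipt="$1"
    lan_if="$2"

    # Default-deny for traffic to the box and through it; outbound stays open,
    # so scans and other client traffic from the firewall itself need no holes.
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Loopback is always fine.
    "$ipt" -A INPUT -i lo -j ACCEPT

    # Replies to connections the box opened come back as ESTABLISHED;
    # related flows (e.g. ICMP errors tied to a tracked connection) as RELATED.
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may go anywhere; only their return traffic is forwarded back.
    "$ipt" -A FORWARD -i "$lan_if" -j ACCEPT
    "$ipt" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The "extra icmp" from the reply: ICMP errors that conntrack may not
    # associate with a flow, so path MTU discovery and traceroute still work.
    "$ipt" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    "$ipt" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    fw_stateful_rules iptables "${LAN_IF:-eth1}"
else
    # Dry run: substitute echo for iptables so the rules are printed, not applied.
    fw_stateful_rules echo "${LAN_IF:-eth1}"
fi
```

Because the function takes the command as a parameter, the same rule list can be reviewed with `echo`, applied with `iptables`, or fed to `iptables -C` to verify that a running firewall still matches it.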